Also is the First to Implement Distributed Security Auditing for Kubernetes 1.6 Deployments

[UPDATE]: The NeuVector open source tool and product now support Kubernetes 1.7 and the newly released CIS Benchmark for Kubernetes 1.8.
By Gary Duan
The Center for Internet Security (CIS) recently released the CIS Kubernetes Benchmark for Kubernetes 1.6. Many companies planning deployments or already in production will want a simple way to test compliance with the 100+ recommendations in the Kubernetes 1.6 security benchmark.
Kubernetes is a complex orchestration platform with many interconnected services, so evaluating the security of an implementation is not a simple task. In addition, there are many different implementations of Kubernetes, which makes it difficult to come up with a standard set of recommendations and tests.
NeuVector is doing two things to help companies evaluate security for Kubernetes deployments. The first is to release open source tools for running the CIS Kubernetes Benchmark tests on master and worker nodes. The second is to implement these tests in the NeuVector container security solution so they run automatically on Kubernetes clusters being secured by NeuVector.
Open Source Tool for CIS Kubernetes Benchmark
The tools are shell scripts which implement tests for the 100+ recommendations in the CIS Kubernetes 1.6 Benchmark. They are available at https://github.com/neuvector/kubernetes-cis-benchmark. There are different security recommendations for the Kubernetes master node and for the worker node, so there are two separate scripts. Because the checks inspect the command-line arguments of running Kubernetes processes, their configuration files and file ownership and permissions, each script must be run on the node it audits with sufficient privileges to read those resources.
In general the recommendations focus on auditing key security areas of Kubernetes, including:
- Use of privileged containers
- API server authentication and authorization
- Kubelet authentication
- etcd security
- Data security, e.g. files, secrets
- Certificate management
- Security for pods
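To make the flag-based part of such an audit concrete, here is an added example written for this page; it is not the NeuVector script. It applies CIS-style checks to API server and kubelet command lines. The command lines are constructed for illustration rather than captured from a real cluster, so the script runs offline; on a real node you would feed it the `ps -ef` output for each process. The check names are descriptive labels I chose, not the benchmark's numbered recommendation IDs.

```shell
#!/bin/sh
# Added example, not the NeuVector scripts: CIS-style flag checks for the
# API server and kubelet, run against captured command lines so it executes
# offline. The recommendations checked (anonymous-auth, insecure-port,
# profiling, AlwaysAdmit, AlwaysAllow, allow-privileged, ...) follow the
# 1.6 benchmark; the check names are mine, not the benchmark's IDs.

# flag_value CMDLINE FLAG: print the value of --FLAG=VALUE, nothing if unset
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

check_eq()    { [ "$(flag_value "$1" "$2")" = "$3" ]; }   # present with value
check_ne()    { [ "$(flag_value "$1" "$2")" != "$3" ]; }  # absent or other value
check_set()   { [ -n "$(flag_value "$1" "$2")" ]; }       # present
check_unset() { [ -z "$(flag_value "$1" "$2")" ]; }       # absent
# check_lacks CMDLINE FLAG TOKEN: pass if TOKEN is not in the flag's comma list
check_lacks() {
    case ",$(flag_value "$1" "$2")," in
        *",$3,"*) return 1 ;;
        *)        return 0 ;;
    esac
}

# run NAME CHECK ARGS...: print PASS/FAIL for one check, count failures in FAILS
run() {
    name=$1; shift
    if "$@"; then
        printf 'PASS  %s\n' "$name"
    else
        printf 'FAIL  %s\n' "$name"; FAILS=$((FAILS + 1))
    fi
}

# audit_apiserver CMDLINE: returns the number of failed API server checks
audit_apiserver() {
    FAILS=0
    run "anonymous-auth is false"              check_eq    "$1" anonymous-auth false
    run "basic-auth-file is not set"           check_unset "$1" basic-auth-file
    run "insecure-port is 0"                   check_eq    "$1" insecure-port 0
    run "secure-port is not 0"                 check_ne    "$1" secure-port 0
    run "profiling is false"                   check_eq    "$1" profiling false
    run "admission-control lacks AlwaysAdmit"  check_lacks "$1" admission-control AlwaysAdmit
    run "authorization-mode lacks AlwaysAllow" check_lacks "$1" authorization-mode AlwaysAllow
    run "audit-log-path is set"                check_set   "$1" audit-log-path
    return $FAILS
}

# audit_kubelet CMDLINE: returns the number of failed kubelet checks
audit_kubelet() {
    FAILS=0
    run "allow-privileged is false"            check_eq    "$1" allow-privileged false
    run "anonymous-auth is false"              check_eq    "$1" anonymous-auth false
    run "authorization-mode lacks AlwaysAllow" check_lacks "$1" authorization-mode AlwaysAllow
    run "client-ca-file is set"                check_set   "$1" client-ca-file
    return $FAILS
}

# Constructed command lines for illustration (not captured from a real cluster)
WEAK_APISERVER='kube-apiserver --anonymous-auth=true --insecure-port=8080 --secure-port=6443 --profiling=true --admission-control=AlwaysAdmit,NamespaceLifecycle --authorization-mode=AlwaysAllow'
HARD_APISERVER='kube-apiserver --anonymous-auth=false --insecure-port=0 --secure-port=6443 --profiling=false --admission-control=NamespaceLifecycle,ServiceAccount,AlwaysPullImages,DenyEscalatingExec --authorization-mode=RBAC --audit-log-path=/var/log/kube-audit.log'
WEAK_KUBELET='kubelet --allow-privileged=true --anonymous-auth=true --authorization-mode=AlwaysAllow'
HARD_KUBELET='kubelet --allow-privileged=false --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt'

echo "== master: weak API server ==";     audit_apiserver "$WEAK_APISERVER"; echo "failed checks: $?"
echo "== master: hardened API server =="; audit_apiserver "$HARD_APISERVER"; echo "failed checks: $?"
echo "== worker: weak kubelet ==";        audit_kubelet "$WEAK_KUBELET";     echo "failed checks: $?"
```

Two caveats worth keeping in mind when adapting this: the parser only understands `--flag=value`, so a flag passed as `--flag value` is reported as unset and must be handled before trusting a FAIL, and flag checks are only part of the benchmark; the file ownership and permission checks for manifests, kubeconfigs and the etcd data directory need to be run on the node as root.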
We encourage the Kubernetes security community to contribute to this open source tool and keep it updated as Kubernetes evolves. It is released under the Apache License 2.0.
Automated, Distributed Kubernetes Security Auditing by NeuVector Container Security
The Kubernetes CIS Benchmark tests have been implemented in NeuVector to simplify auditing and compliance testing of Kubernetes clusters. While it may be simple to evaluate a single master/worker cluster or a test Kubernetes implementation, it can be much more difficult to ensure continuous security compliance for a complex, dynamic Kubernetes deployment.
Because the NeuVector security container is typically already deployed on Kubernetes master and worker nodes, the CIS Kubernetes Benchmark tests can be scheduled and run by the distributed NeuVector enforcer containers. The NeuVector controller centralizes the coordination of the tests and the collection and presentation of audit logs for each node. NeuVector is typically deployed as a DaemonSet in Kubernetes to ensure that every node has an enforcer running on it.
The Kubernetes CIS Benchmark audit feature is currently in beta and you can request a trial of NeuVector at https://neuvector.com/try-neuvector. NeuVector also supports the Docker Bench for Security (CIS Docker 1.13 Benchmark) in a similar way, automatically running the Docker security audit on all nodes.
Although NeuVector is leading the development of container runtime and network security, we will also continue to support auditing, compliance, and host security for production container deployments. This will enable enterprises to deploy a layered security strategy for containers.
About the Author: Gary Duan
Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet’s award winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.